- Implemented Apache HTTP capture using recvfrom syscall (model identical to nginx)
- Added sys_enter_recvfrom + kretprobe __x64_sys_recvfrom approach
- Renamed Apache BPF maps (apache_http_pid_map, apache_http_recv_args_map) to avoid conflicts with nginx
- Added support for recvfrom and recvmsg syscalls (recvmsg support incomplete)
Test results:
- Rocky 9 (kernel 5.14): nginx HTTP capture works perfectly with full headers
- Rocky 10 (kernel 6.12): Apache HTTP capture NOT working (headers=0)
- CentOS 8 (kernel 4.18): Apache HTTP capture NOT working (headers=0)
Root cause: Apache event MPM uses async epoll model that doesn't trigger
recvfrom syscalls the same way as nginx. Further investigation needed
for Apache-specific capture methods.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename apache_pid_map to apache_http_pid_map
- Rename apache_read_args_map to apache_http_recv_args_map
- Update all references in C code and Go loader
- Attempt both tracepoints and kretprobe for Apache HTTP capture
Test results:
- Rocky 9 (kernel 5.14): nginx HTTP capture works perfectly
- Rocky 10 (kernel 6.12): Apache HTTP capture not working (headers=0)
- CentOS 8 (kernel 4.18): Apache HTTP capture not working
The issue appears to be that Apache event MPM may not use recvfrom()
in the same way as nginx, or uses a different code path.
Further investigation needed for Apache HTTP capture.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add uprobe_apache.c with kretprobe on __x64_sys_recvfrom for Apache HTTP capture
- Update loader.go to support unified "servers" configuration instead of separate nginx_bin_path/apache_enabled
- Add consumeApacheHTTPEvents() function to process Apache HTTP events
- Update bpf_types.h to add Apache-specific BPF maps and structs
- Fix perf event array value_size for pb_apache_http (must be sizeof(__u32) not struct size)
- Add NGINX_APACHE_GUIDE.md documentation for HTTP capture from both servers
Validation results:
- nginx HTTP capture: ✅ Working (57 headers captured, no truncation)
- Apache HTTP capture: ⚠️ Under investigation (kretprobe not triggering on CentOS 8 kernel 4.18)
Configuration:
- JA4EBPF_UPROBES_ENABLED=true
- JA4EBPF_UPROBES_SERVERS=nginx,apache (or "both")
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
